Join a PC to a specific OU?

Thread starter: Gerry Hickman

Gerry Hickman

Hi,

I have a pure AD Win2k network with some OUs. How can I manually join a
client PC to the domain to a specific OU?

I'm aware of Unattend facilities for this, but how can I do it sitting
at the PC?
 
Hi Gerry

Netdom.exe (part of the support tools on the CD) can do this from the
command line. I would recommend that you create a dedicated user for this
and use the delegation of control wizard to allow it to create and delete
computer objects in the specific OUs you want.

Hope this helps

Oli
 
Oli said:
Netdom.exe (part of the support tools on the CD) can do this from the
command line.

Right, that does mean it will only work (interactively) on stations with
netdom installed though.

I find the lack of an OU field in the GUI very odd, when you think Win2k
was designed to work with AD. Even more strange is that (apparently) XP
does not have this facility either.
I would recommend that you create a dedicated user for this
and use the delegation of control wizard to allow it to create and delete
computer objects in the specific OUs you want.

This sounds good. At present I have a domain admin account but strangely
if I unjoin a workstation it refuses to delete the computer account in
AD. If I go to "Active Directory Users and Computers" on the Admin
station it lets me delete it without a problem.
 
Gerry Hickman said:
Right, that does mean it will only work (interactively) on stations with
netdom installed though.
Yes. Since I'm doing the domain join as part of an unattended build, I just
include the netdom.exe file as part of the build. If you're looking for a
way to add machines that have already been built to a specific OU, then I'm
not sure.

What you're really looking for is a way to specify in Active Directory which
should be the default container/OU to add machines to. It's probably
possible to do that. Perhaps one of the Directory Services guys might
know -- a repost in microsoft.public.windows.server.active_directory might
do the trick.

It would be really cool if you could somehow use a WMI filter specified
using AD that could determine the correct default OU for a machine.
I find the lack of an OU field in the GUI very odd, when you think Win2k
was designed to work with AD. Even more strange is that (apparently) XP
does not have this facility either.
I think most people would find it confusing, to be honest. Most people
would not get the LDAP path correct if you had to type it by hand. To
provide a browse button, you'd need to authenticate against AD first.

While most small businesses I know will go to the keyboard of the machine to
do a domain join, bigger companies are more likely to create the machine
account in the correct OU and then let the end user do the domain join
themselves. Then again, the default of allowing 10 domain joins per user
doesn't tie up with this, as it doesn't have any administrative involvement.
You really don't want people dumping new machines into your computers
container.

As you've probably realised, you can't apply a GPO to the computers
container (because it's a container). So, if you want a GPO to apply here,
you have to apply it at the site or domain level, at which point it's going
to get applied to your servers and probably several other machines you don't
want to hit.

Regards

Oli
 
See http://support.microsoft.com/default.aspx?kbid=324949

A new feature in Windows 2003 is you can redirect the Computers container to
an OU. It doesn't give you the flexibility to put the computers into
different OUs but at least you can add the computer to an OU which has the
appropriate GPOs applied, rather than having to worry about applying and
filtering GPOs at the domain level.

We don't use this though - all our PCs are added through RIS and we use
menus to choose which OU to add them into.
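As an added example (not code from Brendon's post or from KB 324949), the check and the redirection he describes, done from a domain member with PowerShell and the ADSI provider. It reads the domain head to show where new computer accounts currently land and what the per-user join quota is (Oli's "10 domain joins per user" default lives in ms-DS-MachineAccountQuota), then runs redircmp.exe, which is what the KB article uses and which requires the Windows Server 2003 domain functional level. The target OU name is an assumption, and the OU must already exist.

```powershell
# Added example, not from the thread. Target OU is an assumption and must exist.
$NewDefaultOU = 'OU=NewComputers,DC=corp,DC=example,DC=com'   # assumed

function Get-DomainJoinDefaults {
    # Reads the domain head (defaultNamingContext) for the three attributes that
    # decide what an ordinary, non-delegated join does: where the object goes,
    # how many joins a plain user may perform, and whether redirection is possible.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.defaultNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDN"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=*)'
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('wellKnownObjects', 'ms-DS-MachineAccountQuota', 'msDS-Behavior-Version'))
    $r = $searcher.FindOne()

    # wellKnownObjects is DN-with-binary; the searcher returns each value as
    # "B:32:<GUID>:<DN>". AA312825768811D1ADED00C04FD8D5CD is the well-known
    # marker for the Computers container, whatever it has been redirected to.
    $computersEntry = $r.Properties['wellknownobjects'] |
        Where-Object { $_ -like 'B:32:AA312825768811D1ADED00C04FD8D5CD:*' }

    [pscustomobject]@{
        DomainDN            = $domainDN
        DefaultComputerOU   = ($computersEntry -replace '^B:32:[0-9A-Fa-f]{32}:', '')
        # Absent on a Windows 2000 domain, so an empty value reads as 0.
        MachineAccountQuota = [int]($r.Properties['ms-ds-machineaccountquota'] | Select-Object -First 1)
        DomainFunctionalLvl = [int]($r.Properties['msds-behavior-version']      | Select-Object -First 1)
    }
}

$d = Get-DomainJoinDefaults
$d | Format-List

# redircmp.exe (shipped with Windows Server 2003) only works at 2003 functional
# level (msDS-Behavior-Version >= 2); fail early rather than get a cryptic error.
if ($d.DomainFunctionalLvl -lt 2) {
    throw 'Redirecting the Computers container needs Windows Server 2003 domain functional level.'
}
redircmp.exe $NewDefaultOU
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# Oli's point about machines being dumped into the Computers container: the
# quota is what lets any authenticated user create up to 10 computer accounts.
# Setting it to 0 forces every join through an account that was explicitly
# delegated rights on an OU. Domain-wide change, so it is left commented out.
# $domain = [ADSI]"LDAP://$($d.DomainDN)"
# $domain.Put('ms-DS-MachineAccountQuota', 0)
# $domain.SetInfo()
```

Redirection only changes where accounts created without an explicit OU end up; it does not move objects that are already in CN=Computers, and it does not give per-OU placement, which is exactly the limitation Brendon points out. Setting the quota to 0 is independent of the redirection and is the part that actually stops unprivileged users from adding machines at all.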
 
Thanks very much for the info, Brendon.

Oli


Brendon Rogers said:
See http://support.microsoft.com/default.aspx?kbid=324949

A new feature in Windows 2003 is you can redirect the Computers container to
an OU. It doesn't give you the flexibility to put the computers into
different OUs but at least you can add the computer to an OU which has the
appropriate GPOs applied, rather than having to worry about applying and
filtering GPOs at the domain level.

We don't use this though - all our PCs are added through RIS and we use
menus to choose which OU to add them into.
 
Hi Oli,
What you're really looking for is a way to specify in Active Directory which
should be the default container/OU to add machines to.

No, the way I see it is that there should be a third box called "OU"
that you can fill in when joining a computer to a domain.
It would be really cool if you could somehow use a WMI filter specified
using AD that could determine the correct default OU for a machine.

But I'm joining it manually, and I know where I want to put it!
I think most people would find it confusing, to be honest.

But surely most people who have been assigned the task of joining
computers are capable of such things? If they're not, they could just
leave the field blank and it would join to the root.
Most people
would not get the LDAP path correct if you had to type it by hand. To
provide a browse button, you'd need to authenticate against AD first.

I do understand what you're saying here. I was thinking most enterprises
would have their OUs directly below their root - this would only
require one word in a text box e.g.

Domain_Root
- OU1
- OU2

It's not hard to type "OU2" if you want to join to the second OU? As you
say though, an LDAP string would be more complicated, but it's still not
rocket science - they can leave the box blank if they want.

Actually the more I look at this, the more I'm wishing I'd kept a
separate "resource" domain. When we did our Win2k migration we dissolved
all the child domains and put the AD in head office (using OUs instead).
Trouble is, there's a few things cropping up now that don't work too
well with OUs.

1. Policies - head office say we can't "block" theirs even if they conflict
2. Software - lots of software can operate on "domains" but not on "OUs"
3. Joining - as above you really need to be a domain admin for the whole
thing
4. Network browsing (Entire Network) is still "flat file", the fact the
PCs are in different OUs doesn't help. When they were in domains they
each had their own subtree.
 
Gerry Hickman said:
But surely most people who have been assigned the task of joining
computers are capable of such things? If they're not, they could just
leave the field blank and it would join to the root.
Much of the GUI in Windows is aimed at the lowest common denominator and is
designed to be easy to learn. If you want to do something a little more
adventurous, scripting is the way to go (although it would be nice if
netdom.exe was part of the default installation).
I do understand what you're saying here. I was thinking most enterprises
would have their ou's directly below their root
I don't!

I think an extra box would have been useful, but it's not there, so we just
have to live with that.
1. Policies - head office say we can't "block" theirs even if they
conflict
Yep.
2. Software - lots of software can operate on "domains" but not on "OUs"
Can you clarify. I don't get what you mean here.
3. Joining - as above you really need to be a domain admin for the whole
thing
Aaaaagh! Why do you need to be a domain admin? I administer my whole
network without needing to log in as a domain admin. My regular work
account is not a domain admin. I don't log in to member servers with a
domain admin account and I sure as hell don't join workstations to the
domain using a domain admin account!
4. Network browsing (Entire Network) is still "flat file", the fact the
PCs are in different OUs doesn't help. When they were in domains they each
had their own subtree.
The computer browser service is turned off on every machine in my domain, so
I don't have that issue.

Start | Run | \\machinename works great!

Regards

Oli
 
Oli said:
Much of the GUI in Windows is aimed at the lowest common denominator
and is designed to be easy to learn. If you want to do something a
little more adventurous, scripting is the way to go (although it would
be nice if netdom.exe was part of the default installation).

I don't!

I think an extra box would have been useful, but it's not there, so we
just have to live with that.

Can you clarify. I don't get what you mean here.

Aaaaagh! Why do you need to be a domain admin? I administer my whole
network without needing to log in as a domain admin. My regular work
account is not a domain admin. I don't log in to member servers with
a domain admin account and I sure as hell don't join workstations to
the domain using a domain admin account!

The computer browser service is turned off on every machine in my
domain, so I don't have that issue.

Start | Run | \\machinename works great!

Regards

Oli

There is a way for you to enter computers to a specific OU but it has to
be done when you first log in at the text mode. There is a file on the
server you must configure: Choice.OSC

If you removed these entries on the RIS then you will get more options
and one of them is to name the computer and to choose which OU the
computer must reside in.

<meta server action="DNRESET">
<meta server action="FILTER CHOICE">


Regards.
 
Oli said:
Much of the GUI in Windows is aimed at the lowest common denominator and is
designed to be easy to learn. If you want to do something a little more
adventurous, scripting is the way to go (although it would be nice if
netdom.exe was part of the default installation).

In most scenarios this is fine, however certain dialogs can only be
seen/changed when an administrator is logged in and I see no reason
these dialogs would need to be over simplistic.

So what do you have before the OUs in your tree?
Can you clarify. I don't get what you mean here.

e.g. Anti-Virus software, SMS 2.0. It's got things like install/monitor
whole domain x, domain y, but it doesn't allow you to only install to
ou1, ou2 etc. Probably the same in things like HFNetchkPro. If ou1 wants
to use SUS and ou2 wants to use Shavlik, this could be an issue.
Aaaaagh! Why do you need to be a domain admin? I administer my whole
network without needing to log in as a domain admin. My regular work
account is not a domain admin. I don't log in to member servers with a
domain admin account and I sure as hell don't join workstations to the
domain using a domain admin account!

My regular work account is a user account. I think people are idiots
that check their email logged in as domain admin! I also don't log into
member servers as domain admin. I don't put domain admin passwords in
scripts etc. The only time I use it is for joining/unjoining machines.
I'm not allowed to create new accounts on the domain and some user
accounts can only join 10 machines before croaking, so I'm not sure the
correct way to do this. I also need to delete the old account when
unjoining and I thought I needed admin rights to do that? I'm not a
local admin on any of the DCs, and am not allowed access to the DCs.
The computer browser service is turned off on every machine in my domain, so
I don't have that issue.

Hehe, that's one way of solving it!
Start | Run | \\machinename works great!

It's not great when you don't know the machine name.
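As an added example (not code from the thread), here is the netdom.exe approach Oli recommended in his first reply, put together with the delegation that answers Gerry's last question about needing Domain Admin to join and unjoin: a dedicated group is given create and delete rights on computer objects in one OU, and the join is run at the PC with an account from that group, naming the OU up front. Domain, OU, group and account names are assumptions; netdom.exe and dsacls.exe are the Support Tools utilities (RSAT on later Windows).

```powershell
# Added example, not from the thread. All names below are assumptions.

# --- One-time setup, run by someone who already has rights on the OU ---------
function Grant-ComputerJoinRights {
    param(
        [Parameter(Mandatory)] [string] $OUPath,   # e.g. 'OU=Workstations,DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $Grantee   # e.g. 'CORP\DomainJoiners'
    )
    # dsacls.exe grants Create Child (CC) and Delete Child (DC) of object class
    # "computer" on the OU and everything below it (/I:T). Create covers new
    # joins; Delete is what lets an unjoin remove the stale account, the step
    # Gerry saw fail. ${Grantee} is braced so PowerShell does not read
    # "$Grantee:" as a scope qualifier.
    dsacls.exe $OUPath /I:T /G "${Grantee}:CCDC;computer"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }
}

# --- Per-machine join, run at the PC as a local administrator ---------------
function Join-ComputerToOU {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $OUPath,
        [Parameter(Mandatory)] [string] $JoinUser,  # delegated account, not a Domain Admin
        [switch] $Reboot
    )
    # Gerry's caveat: this only works where netdom.exe is installed, so check
    # first instead of failing halfway through.
    $netdom = Get-Command netdom.exe -ErrorAction SilentlyContinue
    if (-not $netdom) { throw 'netdom.exe not found; install the Support Tools (or RSAT) first.' }

    # Cheap local sanity check on the DN before anything touches AD; a mistyped
    # path either fails the join or drops the account in the wrong OU.
    if ($OUPath -notmatch '^OU=[^,]+(,OU=[^,]+)*(,DC=[^,]+)+$') {
        throw "Not an OU distinguished name: $OUPath"
    }

    $netdomArgs = @(
        'join', $env:COMPUTERNAME,
        "/Domain:$Domain",
        "/OU:$OUPath",
        "/UserD:$JoinUser",
        '/PasswordD:*'      # prompt for the password rather than leave it in a script or history
    )
    if ($Reboot) { $netdomArgs += '/Reboot' }

    & $netdom.Source @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }
}

# Usage (assumed names):
# Grant-ComputerJoinRights -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' -Grantee 'CORP\DomainJoiners'
# Join-ComputerToOU -Domain 'corp.example.com' -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' `
#                   -JoinUser 'CORP\svc-domainjoin' -Reboot
```

Two caveats a practitioner would want. First, /OU only decides where a newly created account goes; if an account with the machine's name already exists elsewhere, netdom reuses it rather than moving it, so stale objects should be deleted (the DC right above) before a rejoin. Second, the account that creates the object becomes its owner, which is enough for a first join, but rejoining a machine to an account somebody else pre-created also needs write rights on existing computer objects in that OU, which is a separate delegation. On later Windows versions the built-in Add-Computer cmdlet with -OUPath and -Credential does the same job as the netdom call without needing the Support Tools.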
 